Archive for the ‘Security’ Category

When it comes to erasing your tracks on the web, nothing is more pernicious and difficult to delete than the Flash-based cookie. Technically known as “local shared objects,” Flash cookies don’t go away when you clear your browser-based cookies. Instead they hang around, potentially collecting data without your knowledge or consent.

To delete Flash cookies you have to navigate through the Flash Player settings dialog. Unfortunately most users don’t know how to do that and Adobe has, until now, put very little effort into simplifying the process (it has at least made Flash respect the “private browsing” mode in modern browsers).

Now Adobe is finally taking some steps toward simplifying the process of deleting Flash cookies. The company has announced it is working on a new API that will allow your browser to delete Flash cookies along with the rest of your cookies. For now only Mozilla and Google are working on the API with Adobe, but presumably Adobe is talking to Microsoft and Apple as well.

While there’s no shipping code at this point, if the API were to make it into Firefox and Chrome it would give users an easy-to-find menu for quickly clearly Flash cookies. Adobe’s blog post says users can expect to see the changes “in the first half of the year.”

The move would no doubt by a small boon to privacy, but as Ars Technica points out, Flash cookies aren’t the only source of hard-to-defeat, persistant online tracking. For instance, the dreaded “evercookie” stores data in no less than 13 places and is nearly impossible for the average user to delete.

Still, for those annoyed at the complexities of deleting Flash cookies, things may soon, thankfully, get a bit simpler.

Earlier this year, the Firefox add-on Firesheep created quite a controversy by making it easy to capture unencrypted web traffic.

Firesheep sniffs unencrypted cookies sent across open wi-fi networks. That means anyone with Firesheep installed can watch your browsing sessions while you lounge at Starbucks and grab your log-in credentials for Facebook, Twitter or other popular sites. Armed with those credentials, anyone using Firesheep can essentially masquerade as you all over the web, logging in to other social sites, blogs and news sites using your Facebook or Twitter username and password.

None of Firesheep’s mechanisms are new. But Firesheep made sniffing web traffic point-and-click simple — it was suddenly dead easy to do something that used to require a good bit of hacking knowledge.

The best way to protect yourself from Firesheep is simply avoid connecting to unencrypted sites when you’re on an open wi-fi network. That means making sure that you connect over HTTPS rather than HTTP everywhere you surf. But sadly, doing so is complicated and depends on which site you’re trying to connect to.

That’s where the Electronic Frontier Foundation’s HTTPS Everywhere Firefox add-on comes in. The extension makes it easy to ensure you’re connecting to secure sites by rewriting all requests to an HTTPS URL whenever you visit one of the sites it supports.

Of course if the website you’d like to visit doesn’t support HTTPS, there’s nothing the add-on can do, but for many big sites — Twitter, Facebook, Google, PayPal, The New York Times, Bit.ly, Amazon — HTTPS Everywhere automates the process for you.

With HTTPS Everywhere installed, if you type “twitter.com” in the Firefox URL bar, the browser will automatically connect to https://twitter.com rather than http://twitter.com.

That’s a good start, but it won’t completely protect you from anyone sniffing with Firesheep. The latest beta release of HTTPS Everywhere, released over the long weekend, improves the add-on’s protection against Firesheep, but you’ll need to do some extra stuff.

First, head the HTTPS Everywhere preferences (Tools -> Add Ons -> HTTPS Everywhere -> Preferences) and check the “Facebook+” rule. Then install the Adblock Plus extension and use it to block the insecure http:// advertisements and tracking sites that Facebook (and other sites) sometimes include. There are more instructions on the EFF’s site.

Now you can browse Facebook at the coffee shop in relative peace. Certain parts of Facebook may not work properly — some applications can’t use HTTPS, and the chat app won’t work — but at least you aren’t broadcasting your login credentials to anyone who wants to listen. The EFF says it has alerted Facebook to the incompatibilities, and that it’s waiting for Facebook to fix them.

Think your web browser is secure? Think again. Nearly every common browser on the web has been compromised as part of the Pwn2Own contest at the annual CanSecWest security conference.

Whether it was Internet Explorer on WIndows 7, Safari on OS X, Firefox on Windows or Mobile Safari on the iPhone, just about every browser on the market proved compromisable in some way.

Perhaps the most notable of the hacks is the iPhone exploit, in which a hacker managed to download the entire SMS database of a fully patched (non-jailbroken) iPhone 3GS, grabbing the complete list of contacts and any stored messages.

As in the real world, the Pwn2Own exploit code was delivered via specially-crafted, malicious websites which target a specific flaw in your browser.

Safari, Firefox and Internet Explorer were all compromised, but there is one notable exception — Google’s Chrome browser.

One of the key aspects of Chrome that has — thus far — stopped the Pwn2Own hackers is its tightly sandboxed code, which makes it very difficult to exploit. Which isn’t to say there aren’t bugs in Chrome, just that exploiting them to do dirty work outside of Chrome, and thus compromise Windows, Linux or OS X, is much more difficult than it is with other browsers.

For users of IE, Firefox, Safari and Mobile Safari, the only real solution for any security woes is to wait for software updates patching the flaws. Microsoft, which is a CanSecWest sponsor, says it’s already investigating the flaws in Internet Explorer.

Given that one contestant arrived at Pwn2Own with some 20 working exploits for OS X, we’re hoping Apple does the same, but sadly, the company is notorious lax when it comes to patching security flaws in its software.

If you’d like more information about the specific exploits used on each browser, see CNet’s coverage of the nitty-gritty Pwn2Own details.

No programmer is perfect, but some mistakes are more dangerous than others. While some mistakes might just slow down your site, others can open up vulnerabilities that expose your code, your database and even your users to all manner of attack.

To help you identify the more serious errors common in programs of all types, a group of top software security experts in the US and Europe have released their Top 25 Most Dangerous Programming Errors.

Unsurprisingly, cross-site scripting vulnerabilities and improperly handled SQL top the list of common and dangerous mistakes. Remember kids, sanitize your database inputs; you just never know when someone is going to name their child: “Robert’) DROP TABLE Students;”

While not all the errors in the list are common in web programming, some of the more serious things are concerns for web developers — cross-site request forgeries, missing encryption of sensitive data and unrestricted file uploads are all common web programming issues.

Also interesting is the weaknesses by language section, which breaks down common mistakes in PHP, Java, Perl and C/C++. No doubt web developers would like to have seen Python and Ruby in that list, but it should at least be useful for PHP and Perl programmers.

The latest beta release of Google Chrome adds a slew of much needed privacy and content controls — as well as automatic page translation — to Google’s fast, but slightly feature-deficient browser.

The new features — which put Chrome on par with other browsers when it comes to privacy controls — are so far only available to those using the beta channel. Google says the new privacy controls will make it to the stable channel in the coming weeks. If you’d like to switch channels, and try out the new features now, head to the Chrome channel changer page.

The new features allow for much more fine-grained control of cookies, images, JavaScript, plug-ins, and pop-up windows, allowing you to always block them, always allow them or only allow them from trusted sites. The ability to whitelist specific sites matches what Firefox (and others) have long offered and helps close the feature gap between the two browsers.

To access the new controls in the latest release, head to the wrench menu and select “Options.” From there, click the “Under the Hood” tab and chose “Content settings.”

If you elect to disable cookies (or any of the other options) Chrome will display an icon in the URL bar which you can click to add an exception. The process is unfortunately a bit awkward, requiring you to type in the domain exceptions yourself. Choosing the “Ask me” option provides a more automated experience (and a quick lesson in just how many cookies are being set in your browser).

In a particularly nice touch, Chrome offers a link to control Flash cookies via Adobe’s setting page. Other browsers do not (without extensions) provide a way to stop these particularly pernicious cookies.

Chrome’s new features aren’t just for privacy either. The image-blocking feature could be used as a primitive ad blocker, provided you’re willing add the necessary domains. Image blocking can also be handy in situations where your internet connection speeds are slow.

Also part of the new beta release is automatic web page translation. When the language of the page you’re visiting is different from your language setting, Chrome will now offer to translate the page using Google Translate. While machine translations aren’t perfect, Google Translate isn’t bad for conveying the basics of a multilingual page.

If you’d like to take Chrome 4.1 beta for a spin, head over to the beta download page. For more details on the privacy controls, here’s Google’s video intro: